Granting Permissions to Roles
In CDH, the ROLE/GROUP semantics are different from those semantics in CDP. Hive 3 requires a tightly controlled file system and computer memory resources, replacing flexible boundaries that earlier Hive versions allowed.
Definitive boundaries increase predictability. Greater file system control improves security. This model offers stronger security than other security schemes and better policy management.
Before Upgrade to CDP
In CDH, Sentry was recommended for CDH policy management. CDH supported GRANT ON ROLE semantics.
After Upgrade to CDP
The major authorization model in Hive 3 is Ranger, not Sentry. If migrating from CDH, move away from Sentry toward Apache Ranger. GRANT ON ROLE semantics are not supported.
Use GRANT semantics supported in CDP, for example, to set up file system permissions:
Use the semantics described in Configuring a resource-based policy: Hive.
GRANT <permissions> ON TABLE <table> TO USER <user or group>;